VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 27, 2025· Updated Jan 27, 2025

TP-Link TL-SG108E HTTP GET Request usr_account_set.cgi get request method with sensitive query strings

CVE-2025-0730

Description

TP-Link TL-SG108E switch exposes credentials in GET request URL via /usr_account_set.cgi, allowing remote information leakage.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TP-Link TL-SG108E switch exposes credentials in GET request URL via /usr_account_set.cgi, allowing remote information leakage.

Vulnerability

The vulnerability resides in the /usr_account_set.cgi endpoint of TP-Link TL-SG108E switch firmware version 1.0.0 Build 20201208 Rel. 40304. The handler transmits the username and password arguments via a GET request, exposing sensitive credentials in the URL. This affects the unknown function of the HTTP GET Request Handler [1][2].

Exploitation

An attacker can exploit this remotely by intercepting network traffic, accessing browser history, or analyzing server logs where the GET request with credentials is stored. The attack complexity is high, but exploitation is considered difficult [1][2].

Impact

Successful exploitation leads to disclosure of credentials (username and password), compromising the confidentiality of the switch's account credentials. This could allow unauthorized access to the device's management interface [1][2].

Mitigation

Upgrading to version 1.0.0 Build 20250124 Rel. 54920(Beta) addresses the issue. The vendor provided a pre-fix version. For a permanent fix, the application should use POST instead of GET for transmitting sensitive data [1][2].

References
  1. TP-Link France – Le meilleur du WiFi partout. La maison 100% connectée Tapo
  2. Public-Disclosures-CVE-/tp-link sensitive info in GET.md at main · TheCyberDiver/Public-Disclosures-CVE-

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • TP-Link/TL-SG108Ellm-fuzzy2 versions
    <=1.0.0 Build 20201208 Rel. 40304+ 1 more
    • (no CPE)range: <=1.0.0 Build 20201208 Rel. 40304
    • (no CPE)range: 1.0.0 Build 20201208 Rel. 40304

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

6

News mentions

0

No linked articles in our index yet.